Clock-synced transient encryption

ABSTRACT

A request for a transaction between a client system and a server system may be processed. The transaction may be associated with transmission of data between the client system and the server system. The data may be encrypted using a transient encryption key to form encrypted data. The transient encryption key may be a synced-clock random number configured to automatically change when a designated time interval elapses. The encrypted data may be transmitted between the client system and the server system.

COPYRIGHT NOTICE

A portion of the disclosure of this patent document contains materialwhich is subject to copyright protection. The copyright owner has noobjection to the facsimile reproduction by anyone of the patent documentor the patent disclosure as it appears in the United States Patent andTrademark Office patent file or records but otherwise reserves allcopyright rights whatsoever

FIELD OF TECHNOLOGY

This patent document relates generally to encryption and morespecifically to clock-synced transient encryption.

BACKGROUND

“Cloud computing” services provide shared resources, applications, andinformation to computers and other devices upon request. In cloudcomputing environments, services can be provided by one or more serversaccessible over the Internet rather than installing software locally onin-house computer systems. Users can interact with cloud computingservices to undertake a wide range of tasks. A variety of securitythreats such as man-in-the-middle-style attacks may be present in such acomputing environment.

BRIEF DESCRIPTION OF THE DRAWINGS

The included drawings are for illustrative purposes and serve only toprovide examples of possible structures and operations for the disclosedinventive systems, apparatus, methods and computer program products forclock-synced transient encryption. These drawings in no way limit anychanges in form and detail that may be made by one skilled in the artwithout departing from the spirit and scope of the disclosedimplementations.

FIG. 1 shows a flowchart of an example of a method for initializingclock-synced transient encryption, performed in accordance with someimplementations.

FIG. 2 shows a block diagram of an example of a configuration, whichincludes a security system for encrypting and/or decrypting data usingclock-synced transient encryption, in accordance with someimplementations.

FIG. 3 shows a flowchart of an example of a method for encrypting and/ordecrypting data using clock-synced transient encryption, performed inaccordance with some implementations.

FIG. 4 shows a block diagram of an example of encryption and decryptionof data using clock-synced transient encryption during a particularclient-server transaction, in accordance with some implementations.

FIG. 5 shows a block diagram of an example of an environment thatincludes an on-demand database service configured in accordance withsome implementations.

FIG. 6A shows a system diagram of an example of architectural componentsof an on-demand database service environment, configured in accordancewith some implementations.

FIG. 6B shows a system diagram further illustrating an example ofarchitectural components of an on-demand database service environment,in accordance with some implementations.

FIG. 7 illustrates one example of a computing device, configured inaccordance with one or more embodiments.

DETAILED DESCRIPTION

Some implementations of the disclosed systems, apparatus, methods andcomputer program products are configured for implementing clock-syncedtransient encryption. As described in further detail below, suchclock-synced transient encryption may provide application layer securityto client-server transactions. By way of example, using the techniquesdiscussed below, a security system may be established such thattransactions between a client system and a server system are encryptedand decrypted using a clock-synced (e.g., using a clock accessible tothe client system and the server system) transient encryption keyderivable by the client system and the server system.

While transport layer security (TLS) provides many solutions to avariety of security concerns, TLS-based schemes alone are unable tomitigate man-in-the-middle-style attacks when a trusted certificate hasbeen compromised. By way of illustration, Fanny is a customer ofMansfield Bank. Fanny uses the Mansfield Bank web application for mostof her banking needs. Unfortunately, Fanny's digital certificate for theMansfield Bank web application has been compromised. As a result, Mrs.Norris is able to act as a man-in-the-middle and intercept thetransactions between Fanny's computing device and the Mansfield Bank webapplication. In doing so, Mrs. Norris is able to steal Fanny's log-ininformation and steal from Fanny's accounts at Mansfield Bank.

Some existing techniques such as certificate pinning may be usedmitigate man-in-the-middle-style attacks when a digital certificate iscompromised; however, such approaches are ineffective against anattacker who has access to a sensitive channel during first trustestablishment. Continuing with the above example, since she had accessto Fanny's computing device for an extended period of time, Mrs. Norrisalready compromised Fanny's web browser when first trust was establishedbetween Fanny's computing device and the Mansfield Bank web application.Therefore, any sensitive data that passes between Fanny's web browserand the Mansfield Bank application server (e.g., her login information)will not be protected using these conventional techniques.

By contrast, using the disclosed techniques, man-in-the-middle-styleattacks may be thwarted, even when a digital certificate is compromised.Moreover, such techniques may be seamlessly integrated within anexisting web application, Returning to the above example, as discussedbelow, a seed value may be stored on a Mansfield Bank applicationserver. The seed value may transmitted to Fanny's computing devicethrough an uncompromised channel to which Mrs. Norris does not haveaccess (e.g., via a short message service (SMS) text message.) In someimplementations, the seed value may instead be transmitted via the samechannel as normal client-server communication (e.g., via a web browser.By way of example, the seed value may be transmitted to a client systemvia a web browser when trust on first use (TOFU) is been establishedand/or depending on security requirements. For instance, when a laptopis first provisioned to an employee at an organization, a seed value maybe safely placed on the laptop via most channels, since the laptop hasnot been out of the hands of trusted members of the organization.

Returning to the above example, the seed value may then be stored onFanny's computing device (e.g., in her browser cache.) A transientencryption key may be generated in tandem on Fanny's computing deviceand the Mansfield Bank Servers. As discussed in further detail below,the transient encryption key may be generated using time-based one-timepassword (TOTP) techniques that apply a secure hashing algorithm (SHA)using the seed value and a current time-stamp. This process results in atransient encryption key that may be automatically changed periodicallyafter a designated time interval elapses (e.g., 30 seconds). Asdiscussed below, the transient encryption key may be a “synced-clockrandom number” in that the time-stamp used to generate the transientencryption key may be based on a particular clock that is accessible tothe Mansfield Bank servers and Fanny's computing device. Since Fanny'scomputing device and the Mansfield Bank servers have access to both theseed value and the time stamp used to generate the transient encryptionkey, data associated with all transactions between Fanny's computingdevice and the Mansfield Bank servers may be encrypted using thetransient encryption key. Because the seed value is not known to Mrs.Norris, she is unable to decrypt any data she intercepts between Fanny'scomputing device and the Mansfield Bank servers. Furthermore, becausethe transient encryption key changes frequently, even if Mrs. Norriswere able to decrypt a small amount of data associated with a particularclient-server transaction, she would not be able to decrypt dataassociated with future client-server transactions.

The disclosed techniques can be used to protect data in a wide range ofscenarios. Returning to the above example, the IT team at Fanny's placeof employment may have access to Fanny's digital certificates via herlaptop. As such, Henry, a member of the IT team, may attempt to stealFanny's banking information. As discussed above, Mansfield Bank may usethe synced-clock transient encryption techniques discussed above. As aresult, even though he has access to Fanny's digital certificate, Henrywill not be able to decrypt the data associated with transactionsbetween Fanny's laptop and Mansfield bank.

FIG. 1 shows a flowchart of an example of a method 100 for initializingclock-synced transient encryption, performed in accordance with someimplementations. FIG. 1 is described in the context of FIG. 2, whichshows a block diagram of an example of a configuration 200, whichincludes a security system for encrypting and/or decrypting data usingclock-synced transient encryption, in accordance with someimplementations.

At 104 of FIG. 1, a seed value is generated. By way of example, inresponse to a request from a client system to initiate a securerelationship with a server system, the server system may generate a seedvalue, as described above. By way of illustration, client system 204 ofFIG. 2 may be interacting with a web application hosted by server system208. As transactions occur between the client system 204 and the serversystem 208, the client system 204 and the server system 208 may exchangedata 212. As described above, a man-in-the-middle-style hacker mayattempt to intercept the data 2:12. As such, the user may of the clientsystem 204 may wish to initiate a secure relationship with the serversystem 208. By way of illustration, the user may install a browserplug-in on the client system 204. The browser plug-in may be configuredto encrypt and decrypt the data 212 using clock-synced transientencryption techniques described herein. In response to installation ofthe browser plugin on the client system 204, the server system maygenerate seed value 216. The seed value may 216 be any entity capable ofbeing hashed to create an encryption key as described herein. Forexample, the seed value 216 may be a random alpha-numeric entity such asa large random number. In some implementations, the seed value 216 maybe capable of being encoded or stored in a variety of manners (e.g., ina quick response (OR) code.)

A person having skill in the art can appreciate that the disclosedtechniques may be applied to any type of client-server transaction. Assuch, the client system 204 and the server system 208 may include anyconfiguration of devices or systems capable of communicating via aclient-server model. By way of illustration, the client system 204 mayinclude a wide variety of client devices such as a desktop, a laptop, amobile device such as a smartphone or tablet, a wearable device such asa smartwatch or smart glasses, a set-top box, etc. Similarly, the serversystem 208 may include a wide variety of server devices such as anapplication server hosting a customer relationship management (CRM)platform and/or a social networking system provided to a plurality oftenant organizations via an on-demand computing environment such as aplatform provided Salesforce.com® (as discussed in further detailbelow), a server hosting a web application associated with a bank, aserver storing medical records, a server storing credit cart data, etc.

Returning to FIG. 1, at 108 the seed value is transmitted. By way ofillustration, the server system 208 of FIG. 2 may transmit the seedvalue 216 to the client system 204. The seed value 216 may be stored onthe client system 204, e.g. in the browser cache on the browser in whichthe browser plug-in discussed above is installed.

The seed value 216 may be transmitted from the server system 208 to theclient system 204 via a trusted channel. For example, such a trustedchannel may include any channel separate from the channel by which data212 is transmitted between the server system 208 and the client system204 during ordinary client-server transactions. By way of illustration,as discussed above, the data 212 may be associated with transactionsoccurring via a web browser. Therefore, the seed value 216 may betransmitted from the server system 208 to the client system 204 via anyother channel other than the web browser. For instance, in someimplementations, the seed value 216 may be transmitted from the serversystem 208 to the client system 204 via a variety of channels such as aSMS text message, an application that is separate from the web browser,an email, a telephone call, a QR code sent via a channel that isseparate from the web browser, a separate device such as a UniversalSerial Bus (USB) stick, another third party communication channel, etc.

In some implementations, the seed value 216 may itself be a temporaryentity. For instance, the seed value 216 may be configured toautomatically expire after a particular period of time and/or afteroccurrence of a particular event, By way of example, Mary may be using aparticular computing device for limited time (e.g., she may be borrowingthe computing device, she may be renting the computing device, she maybe using the computing device in her capacity as a temporary worker,etc.). As such, a seed value may be transmitted to Mary's computer usingthe above-described techniques; however, the seed value may beconfigured to expire automatically when Mary returns the computingdevice and/or after a certain time period elapses.

At 112 of FIG. 1, a transient encryption key is generated. By way ofexample, the client system 204 and the server system 208 of FIG. 2 mayeach separately generate the transient encryption key by applying asecure hash algorithm (SHA) (e.g., any suitable SHA such as SHA-256 orSHA-512, SHA-3 such as SHA3-256 or SHA3-512, etc.) to the seed value 216and a current time-stamp generated based on a designated clock 220. Onehaving skill in the art can appreciate that the disclosed techniques arenot limited to the SHAs described above and can be implemented using anysuitable cipher such as Saisa20.

The designated clock 220 may be any clock to which the server system 208and the client system 204 both have access. For instance, some examplesof such clocks may include Greenwich Mean Time (GMT), Indian StandardTime (IST), Pacific Daylight Time (PDT), any oscillator to which thefrequency is available to the client system 204 and the server system208, etc.

In some implementations, when the dock of the client system 204 and theclock of the server system 208 do not match, an error will be generated.As such, the client system 204 and the server system 208 canre-synchronize to the designated clock 220 such that the clock-syncedtransient encryption techniques described herein will continue tofunction properly.

After a given time interval the transient encryption key may beautomatically changed using the TOTP techniques described in thepreceding paragraph. By way of example, every 30 seconds the clientsystem 204 and the server system 208 may each separately automaticallyre-calculate the transient encryption key by applying a SHA to the seedvalue 216 and a new time-stamp generated based on a current time stampretrieved from designated clock 220 at the time of re-calculation of thetransient encryption key. As such, the transient encryption key may beautomatically changed irrespective of the Internet connectivity ofclient system 204. By way of example, a browser plug-in operating on theclient system 204 may automatically re-apply a SHA to the seed value 216and the time stamp at any designated time interval without anycommunication with the server system 208. Similarly, a module on theserver system 208 may automatically re-apply a SHA to the seed value 216and the time stamp without any communication with the client system 204.

The time interval after which the transient encryption key is changedmay vary across implementations. For example, such a time interval mayinclude any amount of time, e.g., 1 ms, 30 seconds, 1 minute, 2 hours,etc. In some implementations, the time interval may be determined basedon weighing security concerns with computational practicality. By way ofillustration, automatically changing the transient encryption key everymicro-second may be computationally impractical. On the other hand,automatically changing the transient encryption key only once a day mayallow a hacker to have sufficient time to determine the transientencryption key, giving him or her access to the data associated with anentire day of client-server transactions.

Returning to FIG. 1, at 116, a checksum is processed. By way of example,the client system 204 of FIG. 2 may generate a checksum of an initialvalue of the transient encryption key. The checksum of the initial valueof the transient encryption key may then be sent to the server system208 as acknowledgement that initialization of a secure relationshipbetween the client system 204 and the server system 208 has occurred.

One having skill in the art can appreciate that use of a checksum is oneof many mechanisms for evaluating that the seed value has been appliedcorrectly. By way of example, the seed may be checked manually, once theseed value is stored, a notification may be automatically sent forapproval, etc.

After such initialization the browser plug-in may no longer interactwith the server system 208. As described above, the server system 208and the client system 204 may separately and continuously re-calculatethe transient encryption key every time a time interval elapses, causingthe transient encryption key to be automatically changed every time thetime interval elapses. Since the transient encryption key is based onthe seed value 216 (which is stored on both the server system 208 andthe client system 204) and the designated clock 220 (which is accessibleto both the server system 208 and the client system 204) the transientencryption key calculated by the client system 204 will match thetransient encryption key calculated by the server system 208 at anygiven time. Accordingly, the data 212 transmitted from the client system204 to the server system 208 can be encrypted by encrypter/decrypter224(a) of the client system 204 using the transient encryption key anddecrypted by encrypter/decrypter 224(b) of the server system 208 usingthe transient encryption key as described further below in the contextof FIG. 3, Similarly, the data 212 transmitted from the server system208 to the client system 204 can be encrypted by the encrypter/decrypter224(b) of the server system 208 using the transient encryption key anddecrypted by the encrypter/decrypter 224(a) the client system 204 usingthe transient encryption key as described further below in the contextof FIG. 3.

FIG. 3 shows a flowchart of an example of a method for encrypting and/ordecrypting data using clock-synced transient encryption, performed inaccordance with some implementations. FIG. 3 is described in the contextof FIGS. 2 and 4. FIG. 4 shows a block diagram of an example ofencryption and decryption of data using clock-synced transientencryption during a particular client-server transaction, in accordancewith some implementations.

At 304 of FIG. 3 a request for a transaction is processed. By way ofexample, in FIG. 4, Fanny is logging into the Mansfield Bank webapplication via browser window 400, which is a browser window of a webbrowser operating on Fanny's laptop. When Fanny types in her logininformation (e.g., her username and password) and clicks submit button404, Fanny's login request may be automatically intercepted by browserplug-in 408. The browser plug-in 408 may automatically intercept Fanny'slogin request prior to any data associated with the transaction (e.g.,Fanny's username and password) being transmitted to Mansfield Bankapplication server 412.

In some implementations, the browser plug-in 408 may be configured tointercept all transactions between Fanny's laptop and the Mansfield Bankapplication server 412. As such, the browser plug-in 408 may apply thedisclosed application layer encryption techniques to all data beingtransmitted between Fanny's laptop and the Mansfield Bank applicationserver 412.

Returning to FIG. 3, at 308, the data associated with the transaction of304 is encrypted using the transient encryption key. Returning to theabove example, the browser plug-in 408 may retrieve Fanny's seed valuefrom browser cache 416. As discussed above, the transient encryption keymay be generated by applying a SHA, using the seed value and atime-stamp, which is based on a designated clock accessible to thebrowser plug-in 408 and to the Mansfield Bank application server 412.The browser plug-in 408 may then encrypt Fanny's username and passwordusing the transient encryption key using standard encryption techniquesto generate encrypted data 420.

Optionally, at 312 of FIG. 3, TLS encryption/decryption is applied tothe encrypted data of 316. By way of example, applying, before theencrypted data 420 of FIG. 4 are transmitted from Fanny's laptop to theMansfield Bank application server 412, TLS encryption 424 may beapplied. Similarly, when the encrypted data 420 is received at theMansfield Bank application server 412, TLS decrypter 440 can perform TLSdecryption on the encrypted data 420, as described in further detailbelow.

While current protocols are associated with the routine use of transportlayer encryption, one having skill in the art can appreciate that theapplication layer encryption techniques discussed herein may beindependent from TLS encryption. As such, in some implementations, datamay be encrypted using a transient encryption key and transmittedbetween a client system and a server system without the additional layerof TLS encryption.

At 316 of FIG. 3, the encrypted data of 312 is transmitted between theclient system and the server system. By way of example, the encrypteddata 420 of FIG. 4 is transmitted from Fanny's laptop to the MansfieldBank application server 412. As described above, since the transientencryption key is generated based on a seed value that is accessible tothe browser plug-in 408 and the Mansfield Bank application server 412but not to man-in-the-middle-style hacker 428, hacker 428 will not beable to decrypt the encrypted data 420. Moreover, as discussed above,even if the hacker 428 is able to somehow determine the transientencryption key at a given point in time, he or she will be unable todetermine future values of the transient encryption key as the transientencryption key is automatically changed periodically.

At 320, of FIG. 3, the encrypted data of 312 is decrypted. By way ofexample, as discussed above in the context of FIGS. 1 and 2, theMansfield Bank application server 412 of FIG. 4 may store Fanny's seedvalue. As such the Mansfield Bank application server 412 mayperiodically re-calculate the transient encryption key by applying aSHA, using the seed value and the time-stamp based on the designatedclock accessible to the browser plug-in 408 and to the Mansfield Bankapplication server 412. Application encrypter/decrypter 432 may thendecrypt the encrypted data 420 with the transient encryption key usingstandard decryption techniques. Once the encrypted data 420 isdecrypted, the application encrypter/decrypter 432 may pass Fanny'susername and password to application processes 436. Optionally, if TLSencryption was also applied to the encrypted data 420, TLS decrypter 440may decrypt the TLS encryption of encrypted data 420.

While the transaction discussed above in the context of FIG. 4 relatesto clock-synced transient encryption of data being transmitted from aclient system to a server system, one having skill in the art canappreciate that method 300 of FIG. 3 can be applied bidirectionally. Byway of example, any data being transmitted from the Mansfield Bankapplication server 412 may be encrypted using the transient encryptionkey prior to transmission to Fanny's laptop, and decrypted by thebrowser plug-in 408 operating on Fanny's laptop using theabove-described techniques.

A person having skill in the art can appreciate that the above-describedtechniques can be used to provide application-layer security to anexisting web application without having to overhaul the web application.By way of illustration, as discussed above, the security systemsdisclosed herein may simply be implemented using a browser plug-in. Assuch, this scheme could work on top of any web application capable ofusing the browser in which such a browser plug-in is installed.

While some of the security systems disclosed herein are described asbeing implemented via browser plug-ins, one having skill in the art canappreciate that the disclosed techniques may be applied in a variety ofmanners, and can be applied to any client-server communication. Forinstance, upon wide-scale acceptance of the disclosed techniques, thesecurity systems described above may be implemented in a web browseritself. For example the web browser could store seed values associatedwith a variety of entities such as web applications. Transactionsbetween a client system operating the web browser and the webapplications may be automatically encrypted using the above-describedtechniques. In yet another implementation, the disclosed techniques maybe implemented directly in a mobile application. By way of example, amobile application operating on a user's client system could store theuser's seed value and could encrypt and decrypt all data associated withany transactions between the client system and any servers implementingthe mobile application using the above-described techniques. One havingskill in the art can appreciate that, in some implementations, securestorage of a mobile application may be desirable.

FIG. 5 shows a block diagram of an example of an environment 510 thatincludes an on-demand database service configured in accordance withsome implementations. Environment 510 may include user systems 512,network 514, database system 516, processor system 517, applicationplatform 518, network interface 520, tenant data storage 522, tenantdata 523, system data storage 524, system data 525, program code 526,process space 528, User Interface (UI) 530, Application ProgramInterface (API) 532, PL/SOQL 534, save routines 536, application setupmechanism 538, application servers 550-1 through 550-N, system processspace 552, tenant process spaces 554, tenant management process space560, tenant storage space 562, user storage 564, and applicationmetadata 566. Some of such devices may be implemented using hardware ora combination of hardware and software and may be implemented on thesame physical device or on different devices. Thus, terms such as “dataprocessing apparatus,” “machine,” “server” and “device” as used hereinare not limited to a single hardware device, but rather include anyhardware and software configured to provide the described functionality.

An on-demand database service, implemented using system 516, may bemanaged by a database service provider. Some services may storeinformation from one or more tenants into tables of a common databaseimage to form a multi-tenant database system (MTS). As used herein, eachMTS could include one or more logically and/or physically connectedservers distributed locally or across one or more geographic locations.Databases described herein may be implemented as single databases,distributed databases, collections of distributed databases, or anyother suitable database system. A database image may include one or moredatabase objects. A relational database management system (RDBMS) or asimilar system may execute storage and retrieval of information againstthese objects.

In some implementations, the application platform 18 may be a frameworkthat allows the creation, management, and execution of applications insystem 516. Such applications may be developed by the database serviceprovider or by users or third-party application developers accessing theservice. Application platform 518 includes an application setupmechanism 538 that supports application developers' creation andmanagement of applications, which may be saved as metadata into tenantdata storage 522 by save routines 536 for execution by subscribers asone or more tenant process spaces 554 managed by tenant managementprocess 560 for example. Invocations to such applications may be codedusing PL/SOQL 534 that provides a programming language style interfaceextension to API 532. A detailed description of some PL/SOQL languageimplementations is discussed in commonly assigned U.S. Pat. No.7,730,478, titled METHOD AND SYSTEM FOR ALLOWING ACCESS TO DEVELOPEDAPPLICATIONS VIA A MULTI-TENANT ON-DEMAND DATABASE SERVICE, by CraigWeissman, issued on Jun. 1, 2010, and hereby incorporated by referencein its entirety and for all purposes. Invocations to applications may bedetected by one or more system processes. Such system processes maymanage retrieval of application metadata 566 for a subscriber makingsuch an invocation. Such system processes may also manage execution ofapplication metadata 566 as an application in a virtual machine.

In some implementations, each application server 550 may handle requestsfor any user associated with any organization. A load balancing function(e.g., an F5 Big-IP load balancer) may distribute requests to theapplication servers 550 based on an algorithm such as least-connections,round robin, observed response time, etc. Each application server 550may be configured to communicate with tenant data storage 522 and thetenant data 523 therein, and system data storage 524 and the system data525 therein to serve requests of user systems 512. The tenant data 523may be divided into individual tenant storage spaces 562, which can beeither a physical arrangement and/or a logical arrangement of data.Within each tenant storage space 562, user storage 564 and applicationmetadata 566 may be similarly allocated for each user. For example, acopy of a user's most recently used (MRLJ) items might be stored to userstorage 564. Similarly, a copy of MRU items for an entire tenantorganization may be stored to tenant storage space 562. A UI 530provides a user interface and an API 532 provides an applicationprogramming interface to system 516 resident processes to users and/ordevelopers at user systems 512.

System 516 may implement a transient clock-synced encryption system. Forexample, in some implementations, system 516 may include applicationservers configured to implement and execute a variety of softwareapplications. The application servers may be configured to providerelated data, code, forms, web pages and other information to and fromuser systems 512. Additionally, the application servers may beconfigured to store information to, and retrieve information from adatabase system. Such information may include related data, objects,and/or Webpage content. With a multi-tenant system, data for multipletenants may be stored in the same physical database object in tenantdata storage 522, however, tenant data may be arranged in the storagemedium(s) of tenant data storage 522 so that data of one tenant is keptlogically separate from that of other tenants. In such a scheme, onetenant may not access another tenant's data, unless such data isexpressly shared.

Several elements in the system shown in FIG. 5 include conventional,well-known elements that are explained only briefly here. For example,user system 512 may include processor system 512A, memory system 51213,input system 512C, and output system 512D. A user system 5:12 may beimplemented as any computing device(s) or other data processingapparatus such as a mobile phone, laptop computer, tablet, desktopcomputer, or network of computing devices. User system 12 may run anInternet browser allowing a user (e.g., a subscriber of an MTS) of usersystem 512 to access, process and view information, pages andapplications available from system 516 over network 514. Network 514 maybe any network or combination of networks of devices that communicatewith one another, such as any one or any combination of a LAN (localarea network), WAN (wide area network), wireless network, or otherappropriate configuration.

The users of user systems 512 may differ in their respective capacities,and the capacity of a particular user system 512 to access informationmay be determined at least in part by “permissions” of the particularuser system 512. As discussed herein, permissions generally governaccess to computing resources such as data objects, components, andother entities of a computing system, such as a social networking systemand/or a CRM database system. “Permission sets” generally refer togroups of permissions that may be assigned to users of such a computingenvironment. For instance, the assignments of users and permission setsmay be stored in one or more databases of System 516. Thus, users mayreceive permission to access certain resources. A permission server inan on-demand database service environment can store criteria dataregarding the types of users and permission sets to assign to eachother. For example, a computing device can provide to the server dataindicating an attribute of a user (e.g., geographic location, industry,role, level of experience, etc.) and particular permissions to beassigned to the users fitting the attributes. Permission sets meetingthe criteria may be selected and assigned to the users. Moreover,permissions may appear in multiple permission sets. In this way, theusers can gain access to the components of a system.

In some an on-demand database service environments, an ApplicationProgramming Interface (API) may be configured to expose a collection ofpermissions and their assignments to users through appropriatenetwork-based services and architectures, for instance, using SimpleObject Access Protocol (SOAP) Web Service and Representational StateTransfer (REST) APIs.

In some implementations, a permission set may be presented to anadministrator as a container of permissions. However, each permission insuch a permission set may reside in a separate API object exposed in ashared API that has a child-parent relationship with the same permissionset object. This allows a given permission set to scale to millions ofpermissions for a user while allowing a developer to take advantage ofjoins across the API objects to query, insert, update, and delete anypermission across the millions of possible choices. This makes the APIhighly scalable, reliable, and efficient for developers to use.

In some implementations, a permission set API constructed using thetechniques disclosed herein can provide scalable, reliable, andefficient mechanisms for a developer to create tools that manage auser's permissions across various sets of access controls and acrosstypes of users. Administrators who use this tooling can effectivelyreduce their time managing a user's rights, integrate with externalsystems, and report on rights for auditing and troubleshooting purposes.By way of example, different users may have different capabilities withregard to accessing and modifying application and database information,depending on a user's security or permission level, also calledauthorization. In systems with a hierarchical role model, users at onepermission level may have access to applications, data, and databaseinformation accessible by a lower permission level user, but may nothave access to certain applications, database information, and dataaccessible by a user at a higher permission level.

As discussed above, system 516 may provide on-demand database service touser systems 512 using an MTS arrangement. By way of example, one tenantorganization may be a company that employs a sales force where eachsalesperson uses system 516 to manage their sales process. Thus, a userin such an organization may maintain contact data, leads data, customerfollow-up data, performance data, goals and progress data, etc., allapplicable to that user's personal sales process (e.g., in tenant datastorage 522). In this arrangement, a user may manage his or her salesefforts and cycles from a variety of devices, since relevant data andapplications to interact with (e.g., access, view, modify, report,transmit, calculate, etc.) such data may be maintained and accessed byany user system 512 having network access.

When implemented in an MTS arrangement, system 516 may separate andshare data between users and at the organization-level in a variety ofmanners. For example, for certain types of data each user's data mightbe separate from other users' data regardless of the organizationemploying such users. Other data may be organization-wide data, which isshared or accessible by several users or potentially all users form agiven tenant organization, Thus, some data structures managed by system516 may be allocated at the tenant level while other data structuresmight be managed at the user level. Because an MTS might supportmultiple tenants including possible competitors, the MTS may havesecurity protocols that keep data, applications, and application useseparate. In addition to user-specific data and tenant-specific data,system 516 may also maintain system-level data usable by multipletenants or other data. Such system-level data may include industryreports, news, postings, and the like that are sharable between tenantorganizations.

In some implementations, user systems 512 may be client systemscommunicating with application servers 550 to request and updatesystem-level and tenant-level data from system 516. By way of example,user systems 512 may send one or more queries requesting data of adatabase maintained in tenant data storage 522 and/or system datastorage 524. An application server 550 of system 516 may automaticallygenerate one or more SQL statements (e.g., one or more SQL queries) thatare designed to access the requested data. System data storage 524 maygenerate query plans to access the requested data from the database.

The database systems described herein may be used for a variety ofdatabase applications. By way of example, each database can generally beviewed as a collection of objects, such as a set of logical tables,containing data fitted into predefined categories. A “table” is onerepresentation of a data object, and may be used herein to simplify theconceptual description of objects and custom objects according to someimplementations. It should be understood that “table” and “object” maybe used interchangeably herein. Each table generally contains one ormore data categories logically arranged as columns or fields in aviewable schema. Each row or record of a table contains an instance ofdata for each category defined by the fields. For example, a CRMdatabase may include a table that describes a customer with fields forbasic contact information such as name, address, phone number, faxnumber, etc. Another table might describe a purchase order, includingfields for information such as customer, product, sale price, date, etc.In some multi-tenant database systems, standard entity tables might beprovided for use by all tenants. A table may include seed values foreach user associated with a web application. These seed values may beused, as described above, to generate transient encryption keys. For CRMdatabase applications, such standard entities might include tables forcase, account, contact, lead, and opportunity data objects, eachcontaining pre-defined fields. It should be understood that the word“entity” may also be used interchangeably herein with “object” and“table”.

In some implementations, tenants may be allowed to create and storecustom objects, or they may be allowed to customize standard entities orobjects, for example by creating custom fields for standard objects,including custom index fields. Commonly assigned U.S. Pat. No.7,779,039, titled CUSTOM ENTITIES AND FIELDS IN A MULTI-TENANT DATABASESYSTEM, by Weissman et al., issued on Aug. 17, 2010, and herebyincorporated by reference in its entirety and for all purposes, teachessystems and methods for creating custom objects as well as customizingstandard objects in an MTS. In certain implementations, for example, allcustom entity data rows may be stored in a single multi-tenant physicaltable, which may contain multiple logical tables per organization. Itmay be transparent to customers that their multiple “tables” are in factstored in one large table or that their data may be stored in the sametable as the data of other customers.

FIG. 6A shows a system diagram of an example of architectural componentsof an on-demand database service environment 600, configured inaccordance with some implementations. A client machine located in thecloud 604 may communicate with the on-demand database serviceenvironment via one or more edge routers 608 and 612. A client machinemay include any of the examples of user systems 512 described above. Theedge routers 608 and 612 may communicate with one or more core switches620 and 624 via firewall 616. The core switches may communicate with aload balancer 628, which may distribute server load over different pods,such as the pods 640 and 644 by communication via pod switches 632 and636. The pods 640 and 644, which may each include one or more serversand/or other computing resources, may perform data processing and otheroperations used to provide on-demand services. Components of theenvironment may communicate with a database storage 656 via a databasefirewall 648 and a database switch 652.

Accessing an on-demand database service environment may involvecommunications transmitted among a variety of different components. Theenvironment 600 is a simplified representation of an actual on-demanddatabase service environment. For example, some implementations of anon-demand database service environment may include anywhere from one tomany devices of each type. Additionally, an on-demand database serviceenvironment need not include each device shown, or may includeadditional devices not shown, in FIGS. 6A and 6B.

The cloud 604 refers to any suitable data network or combination of datanetworks, which may include the Internet. Client machines located in thecloud 604 may communicate with the on-demand database serviceenvironment 600 to access services provided by the on-demand databaseservice environment 600. By way of example, client machines may accessthe on-demand database service environment 600 to retrieve, store, edit,and/or process CRM information.

In some implementations, the edge routers 608 and 612 route packetsbetween the cloud 604 and other components of the on-demand databaseservice environment 600. The edge routers 608 and 612 may employ theBorder Gateway Protocol (BGP). The edge routers 608 and 612 may maintaina table of IP networks or ‘prefixes’, which designate networkreachability among autonomous systems on the Internet.

In one or more implementations, the firewall 616 may protect the innercomponents of the environment 600 from Internet traffic. The firewall6:16 may block, permit, or deny access to the inner components of theon-demand database service environment 600 based upon a set of rulesand/or other criteria. The firewall 616 may act as one or more of apacket filter, an application gateway, a stateful filter, a proxyserver, or any other type of firewall.

In some implementations, the core switches 620 and 624 may behigh-capacity switches that transfer packets within the environment 600.The core switches 620 and 624 may be configured as network bridges thatquickly route data between different components within the on-demanddatabase service environment. The use of two or more core switches 620and 624 may provide redundancy and/or reduced latency.

In some implementations, communication between the pods 640 and 644 maybe conducted via the pod switches 632 and 636. The pod switches 632 and636 may facilitate communication between the pods 640 and 644 and clientmachines, for example via core switches 620 and 624. Also oralternatively, the pod switches 632 and 636 may facilitate communicationbetween the pods 640 and 644 and the database storage 656. The loadbalancer 628 may distribute workload between the pods, which may assistin improving the use of resources, increasing throughput, reducingresponse times, and/or reducing overhead. The load balancer 628 mayinclude multilayer switches to analyze and forward traffic.

In some implementations, access to the database storage 656 may beguarded by a database firewall 648, which may act as a computerapplication firewall operating at the database application layer of aprotocol stack. The database firewall 648 may protect the databasestorage 656 from application attacks such as structure query language(SQL) injection, database rootkits, and unauthorized informationdisclosure. The database firewall 648 may include a host using one ormore forms of reverse proxy services to proxy traffic before passing itto a gateway router and/or may inspect the contents of database trafficand block certain content or database requests. The database firewall648 may work on the SQL application level atop the TCP/IP stack,managing applications' connection to the database or SQL managementinterfaces as well as intercepting and enforcing packets traveling to orfrom a database network or application interface.

In some implementations, the database storage 656 may be an on-demanddatabase system shared by many different organizations. The on-demanddatabase service may employ a single-tenant approach, a multi-tenantapproach, a virtualized approach, or any other type of databaseapproach. Communication with the database storage 656 may be conductedvia the database switch 652. The database storage 656 may includevarious software components for handling database queries. Accordingly,the database switch 652 may direct database queries transmitted by othercomponents of the environment (e.g., the pods 640 and 644) to thecorrect components within the database storage 656.

FIG. 6B shows a system diagram further illustrating an example ofarchitectural components of an on-demand database service environment,in accordance with some implementations. The pod 644 may be used torender services to user(s) of the on-demand database service environment600. The pod 644 may include one or more content batch servers 664,content search servers 668, query servers 682, file servers 686, accesscontrol system (ACS) servers 680, batch servers 684, and app servers688. Also, the pod 644 may include database instances 690, quick filesystems (QFS) 692, and indexers 694. Some or all communication betweenthe servers in the pod 644 may be transmitted via the switch 636.

In some implementations, the app servers 688 may include a frameworkdedicated to the execution of procedures (e.g., programs, routines,scripts) for supporting the construction of applications provided by theon-demand database service environment 600 via the pod 644, One or moreinstances of the app server 688 may be configured to execute all or aportion of the operations of the services described herein.

In some implementations, as discussed above, the pod 644 may include oneor more database instances 690. A database instance 690 may beconfigured as an MTS in which different organizations share access tothe same database, using the techniques described above. Databaseinformation may be transmitted to the indexer 694, which may provide anindex of information available in the database 690 to file servers 686.The QFS 692 or other suitable filesystem may serve as a rapid-accessfile system for storing and accessing information available within thepod 644. The QFS 692 may support volume management capabilities,allowing many disks to be grouped together into a file system. The QFS692 may communicate with the database instances 690, content searchservers 668 and/or indexers 694 to identify, retrieve, move, and/orupdate data stored in the network file systems (NFS) 696 and/or otherstorage systems.

In some implementations, one or more query servers 682 may communicatewith the NFS 696 to retrieve and/or update information stored outside ofthe pod 644. The NFS 696 may allow servers located in the pod 644 toaccess information over a network in a manner similar to how localstorage is accessed. Queries from the query servers 622 may betransmitted to the NFS 696 via the load balancer 628, which maydistribute resource requests over various resources available in theon-demand database service environment 600. The NFS 696 may alsocommunicate with the QFS 692 to update the information stored on the NFS696 and/or to provide information to the QFS 692 for use by serverslocated within the pod 644.

In some implementations, the content batch servers 664 may handlerequests internal to the pod 644. These requests may be long-runningand/or not tied to a particular customer, such as requests related tolog mining, cleanup work, and maintenance tasks. The content searchservers 668 may provide query and indexer functions such as functionsallowing users to search through content stored in the on-demanddatabase service environment 600. The file servers 686 may managerequests for information stored in the file storage 698, which may storeinformation such as documents, images, basic large objects (BLOBs), etc.The query servers 682 may be used to retrieve information from one ormore file systems. For example, the query system 682 may receiverequests for information from the app servers 688 and then transmitinformation queries to the NFS 696 located outside the pod 644. The ACSservers 680 may control access to data, hardware resources, or softwareresources called upon to render services provided by the pod 644. Thebatch servers 684 may process batch jobs, which are used to run tasks atspecified times. Thus, the batch servers 684 may transmit instructionsto other servers, such as the app servers 688, to trigger the batchjobs.

While some of the disclosed implementations may be described withreference to a system having an application server providing a front endfor an on-demand database service capable of supporting multipletenants, the disclosed implementations are not limited to multi-tenantdatabases nor deployment on application servers. Some implementationsmay be practiced using various database architectures such as ORACLE®,DB2® by IBM and the like without departing from the scope of presentdisclosure.

FIG. 7 illustrates one example of a computing device. According tovarious embodiments, a system 700 suitable for implementing embodimentsdescribed herein includes a processor 701, a memory module 703, astorage device 705, an interface 711, and a bus 715 (e.g., a PCI bus orother interconnection fabric.) System 700 may operate as variety ofdevices such as an application server, a database server, or any otherdevice or service described herein. Although a particular configurationis described, a variety of alternative configurations are possible. Theprocessor 701 may perform operations such as those described herein.Instructions for performing such operations may be embodied in thememory 703, on one or more non-transitory computer readable media, or onsome other storage device. Various specially configured devices can alsobe used in place of or in addition to the processor 701, The interface711 may be configured to send and receive data packets over a network.Examples of supported interfaces include, but are not limited to:Ethernet, fast Ethernet, Gigabit Ethernet, frame relay, cable, digitalsubscriber line (DSL), token ring, Asynchronous Transfer Mode (ATM),High-Speed Serial Interface (HSSI), and Fiber Distributed Data Interface(FDDI), These interfaces may include ports appropriate for communicationwith the appropriate media. They may also include an independentprocessor and/or volatile RAM. A computer system or computing device mayinclude or communicate with a monitor, printer, or other suitabledisplay for providing any of the results mentioned herein to a user.

Any of the disclosed implementations may be embodied in various types ofhardware, software, firmware, computer readable media, and combinationsthereof. For example, some techniques disclosed herein may beimplemented, at least in part, by computer-readable media that includeprogram instructions, state information, etc., for configuring acomputing system to perform various services and operations describedherein. Examples of program instructions include both machine code, suchas produced by a compiler, and higher-level code that may be executedvia an interpreter. Instructions may be embodied in any suitablelanguage such as, for example, Apex, Java, Python, C++, C, HTML, anyother markup language, JavaScript, ActiveX, VBScript, or Perl, Examplesof computer-readable media include, but are not limited to: magneticmedia such as hard disks and magnetic tape; optical media such as flashmemory, compact disk (CD) or digital versatile disk (DVD);magneto-optical media; and other hardware devices such as read-onlymemory (“ROM”) devices and random-access memory (“RAM”) devices. Acomputer-readable medium may be any combination of such storage devices.

In the foregoing specification, various techniques and mechanisms mayhave been described in singular form for clarity. However, it should benoted that some embodiments include multiple iterations of a techniqueor multiple instantiations of a mechanism unless otherwise noted. Forexample, a system uses a processor in a variety of contexts but can usemultiple processors while remaining within the scope of the presentdisclosure unless otherwise noted. Similarly, various techniques andmechanisms may have been described as including a connection between twoentities. However, a connection does not necessarily mean a direct,unimpeded connection, as a variety of other entities (e.g., bridges,controllers, gateways, etc.) may reside between the two entities.

In the foregoing specification, reference was made in detail to specificembodiments including one or more of the best modes contemplated by theinventors. While various implementations have been described herein, itshould be understood that they have been presented by way of exampleonly, and not limitation. For example, some techniques and mechanismsare described herein in the context of on-demand computing environmentsthat include MTSs. However, the techniques of disclosed herein apply toa wide variety of computing environments. Particular embodiments may beimplemented without some or all of the specific details describedherein. In other instances, well known process operations have not beendescribed in detail in order to avoid unnecessarily obscuring thedisclosed techniques. Accordingly, the breadth and scope of the presentapplication should not be limited by any of the implementationsdescribed herein, but should be defined only in accordance with theclaims and their equivalents.

1. A security system implemented by one or more processors, the securitysystem being configurable to cause: processing a request for atransaction between a client system and a server system, the transactionbeing associated with transmission of data between the client system andthe server system; encrypting, using a transient encryption key, thedata to form encrypted data, the transient encryption key being asynced-clock random number configured to automatically change when adesignated time interval elapses, the synced-clock random number beingaccessible to the server system and the client system, the synced-clockrandom number being based on a designated clock accessible to the serverand the client system; and transmitting the encrypted data between theclient system and the server system, the encrypted data beingconfigurable to be decrypted at the server system or the client systembased on the transient encryption key.
 2. The security system of claim1, the security system further configurable to cause: generating a seedvalue, the seed value being a random alpha-numeric entity; transmitting,via a channel separate from the transaction, the seed value to theclient system; generating, based on the seed value and a time-stampassociated with the designated clock, the transient encryption key; and3. The security system of claim 2, the security system furtherconfigurable to cause: evaluating that the seed has been appliedcorrectly by processing a checksum of an initial value of the transientencryption key received from the client system.
 4. The security systemof claim 2, wherein generating the transient encryption key comprisesapplying, using the seed value and the time-stamp, a secure hashalgorithm (SHA), the time-stamp being based on the designated clock. 5.The security system of claim 1, the security system further configurableto cause: applying, before transmitting the encrypted data between theclient system and the server system, transport layer security (TLS)encryption to the encrypted data.
 6. The security system of claim 1,wherein the encrypted data is transmitted between the client system andthe server system without TLS encryption.
 7. The security system ofclaim 1, wherein encryption of the data occurs at an application layerassociated with a web application being interacted with by a user of theclient system, the web application being hosted by the server system. 8.The security system of claim 1, wherein encryption of the data occurs atan application layer associated with a mobile application beinginteracted with by a user of the client system, the client system beinga mobile device.
 9. The security system of claim 8, wherein the mobileapplication comprises a customer relationship management (CRM) platformand/or a social networking system provided to a plurality of tenantorganizations via an on-demand computing environment.
 10. The securitysystem of claim 1, wherein encrypting the data to form encrypted data isperformed by one or more of: a browser plug-in operating at the clientsystem, a web browser operating at the client system, or an applicationoperating at the client system.
 11. The security system of claim 9,wherein the security system is configured to automatically interceptfurther transactions between the client system and the server system.12. A method comprising: receiving a request for a transaction between aclient system and a server system, the transaction being associated withtransmission of data between the client system and the server system;using one or more processors, encrypting, using a transient encryptionkey, the data to form encrypted data, the transient encryption key beinga synced-clock random number configured to automatically change when adesignated time interval elapses, the synced-clock random number beingaccessible to the server system and the client system, the synced-clockrandom number being based on a designated clock accessible to the serverand the client system; and transmitting the encrypted data between theclient system and the server system, the encrypted data beingconfigurable to be decrypted at the server system or the client systembased on the transient encryption key.
 13. The method of claim 10, themethod further comprising: generating a seed value, the seed value beinga random alpha-numeric entity; transmitting, via a channel separate fromthe transaction, the seed value to the client system; generating, basedon the seed value and a time-stamp associated with the designated clock,the transient encryption key; and evaluating that the seed has beenapplied correctly by processing a checksum of an initial value of thetransient encryption key received from the client system.
 14. The methodof claim 13, wherein generating the transient encryption key comprisesapplying, using the seed value and the time-stamp, a secure hashalgorithm (SHA), the time-stamp being based on the designated clock. 15.The method of claim 12, the method further comprising: applying, beforetransmitting the encrypted data between the client system and the serversystem, transport layer security (TLS) encryption to the encrypted data.16. The method of claim 12, wherein the encrypted data is transmittedbetween the client system and the server system without TLS encryption.17. A computer program product comprising computer-readable program codecapable of being executed by one or more processors when retrieved froma non-transitory computer-readable medium, the program code comprisinginstructions configurable to cause: processing a request for atransaction between a client system and a server system, the transactionbeing associated with transmission of data between the client system andthe server system; encrypting, using a transient encryption key, thedata to form encrypted data, the transient encryption key being asynced-clock random number configured to automatically change when adesignated time interval elapses, the synced-clock random number beingaccessible to the server system and the client system, the synced-clockrandom number being based on a designated clock accessible to the serverand the client system; and transmitting the encrypted data between theclient system and the server system, the encrypted data beingconfigurable to be decrypted at the server system or the client systembased on the transient encryption key.
 18. The computer program productof claim 17, the instructions further configurable to cause: generatinga seed value, the seed value being a random alpha-numeric entity;transmitting, via a channel separate from the transaction, the seedvalue to the client system; generating, based on the seed value and atime-stamp associated with the designated clock, the transientencryption key; and evaluating that the seed has been applied correctlyby processing a checksum of an initial value of the transient encryptionkey received from the client system.
 19. The computer program product ofclaim 18, wherein generating the transient encryption key comprisesapplying, using the seed value and the time-stamp, a secure hashalgorithm (SHA), the time-stamp being based on the designated dock. 20.The computer program product of claim 17, the instructions furtherconfigurable to cause: applying, before transmitting the encrypted databetween the client system and the server system, transport layersecurity (TLS) encryption to the encrypted data.